HSM systems

The timing of the KSK rollover is mainly down to external factors. The HSM systems (hardware security modules) that we purchased in 2010 were replaced late last year. Although we had initially intended to roll over the keys within five years, we decided to wait until the HSM systems were decommissioned, project manager Marc Groeneweg says. That gave us the opportunity to see whether we could transfer the existing KSKs from the old system to the new one. Fortunately, the transfer went well.

Rollover of the KSK pair for the superordinate root zone was originally planned for this summer. There needed to be a good gap between our rollover and the superordinate rollover, because if something goes wrong following two simultaneous changes, the cause can be hard to identify. We therefore chose a quiet time, to minimise the risk of interference. The rollover of the KSK pair for the root zone was later put back to next year, but our plans were by then in place and we decided not to change them.

Careful approach

In principle, our KSK rollover is the same as the rollovers regularly performed by DNS operators for their DNSSEC-secured domain names. At the TLD level, however, the potential consequences of an error are much greater. Organisational and process reliability are also more significant. That is why our rollover is much slower and very strictly regulated.

The rollover is organised in line with our DNSSEC Policy and Practice Statement .nl, which defines the DNSSEC policies and protocols that we follow. The technical procedure is based on RFC 6781 (DNSSEC Operational Practices, Version 2) and RFC 7583 (DNSSEC Key Rollover Timing Considerations).

Implementation

The actual rollover begins with the generation of a new key pair (in the HSMs). The new private KSK is then used to sign the existing public ZSK keys. Next, the new public KSK and the new signatures are published in the .nl zone. That means that the zone then includes the DNSKEY and RRSIG records for both the new KSK pair and the old pair. Hence, everything covered by either KSK pair is valid (the double-signature KSK rollover method).

Once the new records are universally known, the new public KSK is submitted to IANA, the part of ICANN responsible for management of the root zone. After checking that everything is in order, IANA signs the new public KSK for the .nl domain with its own private ZSK key and publishes the signature in the root zone as a new DS record for .nl.

Publication of the new DS record completes the new chain of trust above .nl. Finally, once the new records are universally known, the process of deleting the records and signatures linked to the old KSK pair can begin.
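The phases described above can be checked mechanically. The following toy model is an added example, not SIDN's own tooling: keys are plain strings, a DS record is simplified to a SHA-256 digest of the key string (not the real RFC 4034 encoding), and the key names "ksk-2010" and "ksk-2017" are made up. It validates the chain of trust for every mix of cached and fresh data between consecutive phases, which is exactly why each phase waits until the previous records are "universally known".

```python
import hashlib
from itertools import product

def ds_of(pubkey):
    # Toy DS digest: SHA-256 over the key string (simplification of RFC 4034)
    return hashlib.sha256(pubkey.encode()).hexdigest()

def chain_valid(root_ds, dnskeys, signers):
    # A resolver holding root_ds validates the .nl DNSKEY RRset if some DS
    # matches a KSK that is both published and has signed the RRset.
    return any(ds_of(k) in root_ds and k in signers for k in dnskeys)

def double_signature_rollover(old, new):
    # Phases as in the article: (name, DS set in root, DNSKEYs in .nl, KSKs signing the RRset)
    return [
        ("start",           {ds_of(old)}, {old},      {old}),
        ("double-signed",   {ds_of(old)}, {old, new}, {old, new}),
        ("new DS in root",  {ds_of(new)}, {old, new}, {old, new}),
        ("old KSK removed", {ds_of(new)}, {new},      {new}),
    ]

def hasty_rollover(old, new):
    # Same rollover, but the new DS reaches the root before the new KSK has propagated
    return [
        ("start",           {ds_of(old)}, {old},      {old}),
        ("new DS in root",  {ds_of(new)}, {old},      {old}),
        ("double-signed",   {ds_of(new)}, {old, new}, {old, new}),
        ("old KSK removed", {ds_of(new)}, {new},      {new}),
    ]

def first_failure(phases):
    # Between consecutive phases a resolver may hold any mix of cached (previous)
    # and fresh (current) root DS and DNSKEY data; every mix must still validate.
    # Returns the name of the first phase where some mix breaks, or None if safe.
    for prev, cur in zip(phases, phases[1:]):
        zone_states = ((prev[2], prev[3]), (cur[2], cur[3]))
        for ds, (keys, signers) in product((prev[1], cur[1]), zone_states):
            if not chain_valid(ds, keys, signers):
                return cur[0]
    return None

if __name__ == "__main__":
    print("careful:", first_failure(double_signature_rollover("ksk-2010", "ksk-2017")))
    print("hasty:  ", first_failure(hasty_rollover("ksk-2010", "ksk-2017")))
```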

Serious about security

The operation is now almost complete and has been problem-free thus far. Late last week, the new DS record was added to the root zone by IANA. This week, the old KSK pair will be phased out from the .nl zone. Although DNSSEC is very sensitive to errors and has complex timing parameters, Groeneweg says that a rollover is very straightforward technically. Other TLD registries regularly have to implement rollovers as well. And the reliability of the procedure is enhanced by practice drills twice a year.

It is much more important that we are seen to take the protection of our private key and therefore the stability and security of the .nl domain very seriously.